Professional Documents
Culture Documents
10 1108 - Maj 08 2014 1072
10 1108 - Maj 08 2014 1072
www.emeraldinsight.com/0268-6902.htm
Rainer Lenz
Louvain School of Management, Université catholique de Louvain,
Louvain-la-Neuve, Belgium, and
Ulrich Hahn
Frankfurt am Main, Germany
Abstract
Purpose – The purpose of this paper is to provide a synopsis of what academic literature says about
internal audit (IA) effectiveness ten years after Bailey et al. (2003) presented research opportunities in
IA. A new set of research questions that may help to bring the best out of IA is proposed.
Design/methodology/approach – Empirical studies based on internal auditors’ self-assessments
(“inside-out”) and empirical studies based on other stakeholders’ perspectives (“outside-in”) are
reviewed through an “effectiveness lens”. The “outside-in” perspective is regarded as particularly
valuable.
Findings – First, common themes in the empirical literature are identified. Second, the main threads
into a model comprising macro and micro factors that influence IA effectiveness are synthesized. Third,
promising future research paths that may enhance IA’s value proposition were derived.
Practical implications – The “outside-in” perspective indicates a disposition to stakeholders’
disappointment in IA: IA is either running a risk of marginalization (IIA, 2013; PWC, 2013) or has to
embrace the challenge to emerge as a recognized and stronger profession. The suggested research
agenda identifies empirical research threads that can help IA practitioners to make a difference for their
organization, be recognized, respected and trusted and help the IA profession in its pursuit of creating
a unique identity. This paper wishes to motivate researchers to explore innovative research strategies
and probe new theories, as well as benefit from cross-fertilization with other research streams.
Originality/value – This paper summarizes the state of research on IA effectiveness and proposes a
guide for future IA research. It provides pointed questions that may further advance the understanding
of what constitutes IA and how IA can enhance its value proposition.
Keywords Effectiveness, Relationship, Relevance, Internal audit, Stakeholder, Profession,
New research opportunities
Paper type Conceptual paper
JEL classification – M4
The authors would like to thank the participants at the 11th European Academic Conference on
Internal Audit and Corporate Governance in Oslo in April 2013 for feedback on an earlier version Managerial Auditing Journal
Vol. 30 No. 1, 2015
of this paper. In particular, the authors would like to acknowledge the very helpful comments pp. 5-33
provided by Arno Nuijten (Erasmus University Rotterdam). Moreover, the authors thank David C. © Emerald Group Publishing Limited
0268-6902
Jackson (HuiZhou University, China) for proof reading our manuscript. DOI 10.1108/MAJ-08-2014-1072
MAJ 1. Introduction
30,1 A decade ago, Bailey et al. (2003) presented research opportunities in internal audit (IA)
that helped to advance IA by inspiring a growing academic IA community. Ten years
on, this paper provides an overview of what the relevant academic literature says about
IA effectiveness. Empirical studies based on internal auditors’ self-assessments and
empirical studies based on other stakeholders’ perspectives (“outside-in”) are reviewed
6 through an “effectiveness lens”. After identifying common themes, we synthesize the
main threads into a model that comprises macro and micro factors that influence IA
effectiveness. We then present an updated set of IA research opportunities. These
directions for future research constitute the main value of this paper.
Developing and maintaining organizational relevance are key challenges to any
support function including IA. Understanding what effectiveness and added value
mean, and appreciating the fundamental role of internal auditors, i.e. employees who are
not connected directly to the profit and loss account, is not an easy task (Nobel, 2010).
Presently, the perceived value and professional image of IA among stakeholders outside
the IA community is not where IA professionals and the IA profession would wish it to
be. When taking a closer look at reality (Anderson, 2009; KPMG, 2009; PWC, 2010; Ernst
& Young, 2012; Lenz and Sarens, 2012; PWC, 2013), a certain degree of disappointment
among IA stakeholders in regard to the role and relevance of IA before, in and after the
last financial crisis that started in 2007 cannot be ignored.
Anderson (2009, p. 26) summarizes:
Non-executive directors and Audit Committee chairmen are often surveyed and respond that:
Heads of internal audit are not up to the job, internal audit lacks adequate independence […]
They have not properly defined the role that they wish internal audit to fulfil.
KPMG (2009) concludes that only about one quarter of board and audit committee
members have the full knowledge of IA’s activities and are very confident that the
company’s IA function (IAF) delivers the value to the organization that it should. In the
vast majority of cases, IA activities and its value remain somewhat obscure. A study by
Ernst & Young (2012, p. 1) shows that 80 per cent of IAFs have potential for
improvement.
PWC (2010) suggests “internal audit must seize opportunities to enhance its
relevancy”. Lenz and Sarens (2012) point to the uncertainty about who is the chief
stakeholder of IA and the ambiguity of assurance and consulting services potentially
damaging the legitimacy and status of the IA profession. In 2013, based on observing
tightly interwoven phenomena of “stakeholder misalignment, a challenged capability
foundation and sub-optimal internal audit contribution”, PWC (2013, p. 4) alerts IA to
the “risk of becoming a marginalized function”.
The business community of internal auditors faces serious issues, which motivates
this paper. IA is at crossroads (IIA, 2013; PWC, 2013) to become either marginalized
between a variety of other assurance, compliance, and risk management functions or to
emerge as a recognized and stronger profession. The world of IA, especially the world of
IA consultancy, professional firms that are in the business of selling IA services, is full
of suggested answers and explanations about what IA should be and how it should
work. However, ultimately, we still know little about the most appropriate positioning of
IA. Core concepts like assurance are used in practice, but it can be questioned whether
there is a shared understanding of what it actually means. Why is that? Part of the
challenge is associated with IA being a credence good (Causholli, 2009) meaning Empirical
different things to different people, at different times and in different contexts. internal audit
Time is ripe to review the empirical body of knowledge regarding IA effectiveness,
identify and synthesize common themes and provide a new set of research questions
that may further advance our understanding of what constitutes IA and how IA can
enhance its value proposition. This paper suggests a new set of research questions that
can help to bring the best out of IA for we believe that scholarly research can contribute 7
to address fundamental issues influencing IA effectiveness.
In Section 2 of this paper, we review the existing empirical literature on IA
effectiveness. The paper is complementary to the work by Gramling et al. (2004) who
examined the literature related to IAF quality largely from the external auditors’
perspective. Section 3 synthesizes the main threads into a model that comprises macro
and micro factors that all influence IA effectiveness. In Section 4, we then offer a set of
new research opportunities in IA, clustered around major themes. These research
questions constitute the main contribution of this paper. Section 5 summarizes and
concludes.
2.1 The supply-side perspective: how internal auditors think about their role and
effectiveness?
The first stream reviews empirical literature addressing how internal auditors assess
themselves, their role and their effectiveness.
The role of the CAE and the skills and competencies of internal auditors,
organizational specifics, its politics and culture, support from senior management and
the impact of the board, directly or through the audit committee (AC), are regarded as
important factors.
2.1.1 High importance of the AC and the board. Empirical studies based on internal
auditors’self-assessments typically measure what can be counted including the
frequency and length of interaction (time), accounting proficiency and the
independence of the AC members, thereby differentiating between Executive and
Non-Executive Directors. Their profile/background, independence and their
willingness to work with and to involve IA are regarded as crucial factors impacting
the effectiveness of the IAF.
The working relationship between the internal auditor and a company’s AC has been
subject of academic research for many years, e.g. Rezaee and Lander (1993) view regular
interaction and an open dialogue as aiding the IAF to be most effective. The study by
Scarbrough et al. (1998) indicates that non-executive directors in AC are more likely to
establish a symbiotic relationship between the AC and the IAF, i.e. the AC support of the
IAF facilitates their work, and, in turn, the work of IA may enhance the effectiveness of
the AC.
Raghunandan et al. (2001) and Goodwin (2003) supplement this finding when
examining the association between AC composition and the interaction with IA
showing that the independence of the AC and also the level of finance and accounting
background/experience have a complementary impact upon AC relationships with IA.
Thus, AC’s with outside and independent directors and the extent of finance and
accounting expertise are viewed as positively correlated with more active oversight
evidenced by longer and more frequent meetings with the CAE, also providing possibly
informal access, and are arguably more likely to review the program and results of IA.
Thus, when there is an intense working relationship between the AC and the IAF, this is
Themes “Supply side” perspective Category
Empirical
internal audit
High importance of the ¡ Rezaee and Lander (1993), Scarbrough et al. IA relationships
audit committee and the (1998), Goodwin and Yeo (2001),
board Raghunandan et al. (2001), Goodwin (2003),
Rose and Norman (2008), Arena and
Azzone (2009a), Davies (2009), Norman
et al. (2010), de Zwaan et al. (2011)
9
Support from senior ¡ Gramling et al. (2004), Sarens and De IA relationships
management is critical Beelde (2006a), Mihret and Yismaw (2007),
Christopher et al. (2009), Halimah et al.
(2009), Cohen and Sayag (2010), Geis (2010)
Serving two (or more) ¡ Gramling et al. (2004), Chambers (2008), IA relationships
masters Beasley et al. (2009), Christopher et al.
(2009), Sarens et al. (2009), Hoos (2010),
Lenz and Sarens (2012)
Crucial role of CAE and ¡ Prawitt (2003), Van Peursem (2005), IA resources
the skills and Pforsich et al. (2006), Chambers (2008),
competencies of internal Pforsich et al. (2008), Mihret et al. (2010)
auditors
Organizational ¡ Sawyer (1995), Chanchani and MacGregor Organization,
characteristics matter (1999), Carcello et al. (2005), Ahmad and IA resources
including politics and Taylor (2009), Sarens and
culture, role ambiguity Abdolmohammadi (2009), Cohen and
and role conflict Sayag (2010), Mihret et al. (2010), Sarens
and Abdolmohammadi (2011), Fazli et al.
(2013)
IA is effective when it is ¡ Allegrini and D’Onza (2003), Spira and IA processes,
risk based Page (2003), Sarens and De Beelde (2006a), organization
Castanheira et al. (2010), Sarens et al.
(2012), Coetzee and Lubbe (2013)
Building blocks of internal ¡ Lenz et al. (2013) Organization,
audit characterisctics IA resources,
IA processes,
IA relationships
Themes “Demand side” perspective Category
Multiple outcomes of IA ¡ Dittenhofer (2001), Melville (2003), Mercer N/A
(2004), Kaplan and Schultz (2007),
Archambeault et al. (2008), Coram et al.
(2008), Hermanson et al. (2008), Holt and
DeZoort (2009), Prawitt et al. (2009)
IA is effective when ¡ Albrecht et al. (1988), Cooper et al. (1994), IA relationships
meeting expectations of Sarens and De Beelde (2006b), Lenz (2013)
management
IA is effective when ¡ Sarens et al. (2009), Soh and Martinov- IA relationships,
meeting expectations of Bennie (2011) IA resources
the board/AC
IA is effective when ¡ Felix et al. (2001), Krishnamoorthy (2002), IA relationships Table I.
meeting expectations of Felix et al. (2005) Cohen et al. (2010), Desai Review of the
external auditors and Desai (2010), Messier et al. (2011) empirical literature
(continued) on IA effectiveness
MAJ Themes “Supply side” perspective Category
30,1
IA is effective when ¡ Elliott et al. (2007), Arena and Azzone IA relationships
meeting expectations of (2009b)
auditees
Effective internal auditors ¡ Albrecht et al. (1988), Cahill (2006), IA resources
10 require skills and Rittenberg and Anderson (2006), Chambers
competences (2008), Mihret et al. (2010), Soh and
Table I. Martinov-Bennie (2011)
also expected to strengthen the independence and objectivity of the IAF (Goodwin and
Yeo, 2001). In addition, Arena and Azzone (2009a) show in an Italian setting that IA
effectiveness is positively related to a close link between IA and the AC.
Rose and Norman (2008) and Norman et al. (2010) point to potential unexpected and
adverse implications when the CAE reports directly to the AC. This constellation may
create threats to IA’s independence and objectivity stemming from the CAE’s career and
reputation concerns (especially when IA serves as a management training ground), the
overreaction of audit committee members and the possibility of retaliation by
management. Notably, it was shown, in an experiment, that when there is a strong
IA–AC relationship, internal auditors were not willing to report a breakdown in risk
procedures to the AC (de Zwaan et al., 2011). That conclusion was a surprise finding in
the study, giving the lie to the original hypothesis. The complex relationship between
the IAF and its various stakeholders seems not yet to be well understood. There can be
competing claims on IAF resources between management and the AC as the study by
Abbott et al. (2010, p. 23) shows. Further research is required to explore how the
management–IAF–AC relationship – and confusion about it – may divert the IAF’s
focus from serving the best interests of the company.
Whilst there is no full consensus on the CAE’s best reporting lines, there seems to be
consensus that an intense working relationship between the AC and the IAF per se is an
enabler of IA effectiveness.
The study by Davies (2009) investigates the working relationship between IAF and
the board predominantly from the perspective of the CAE, but also attempts to view the
relationship from the standpoint of the AC chairs. Davies (2009) shows that earning a
respected status within an organization may take considerable time for the IAF as the
working relationship between the AC and IA largely depends on the governance
framework, as well as on the individual personalities and their willingness to cooperate.
The research shows that there is a great degree of variability on both sides of the table,
in terms of what concerns the IAF and the AC. Davies’s (2009) study points to an
interesting notion, i.e. it makes a fundamental difference whether there is a board and/or
management that want the IAF to look at the right things and support it in doing so, or
board and/or management that is silent or actually impedes the IAF from becoming
effective and potentially unearthing issues that members do not want to be identified
and revealed. Such an IAF may then rather be viewed as “Cinderella function” (Davies,
2009, p. 61). Burns et al. (1994, p. 92) sees the risk that internal auditors are intimidated
by top management. Consequently, it is important that any CAE (or IA staff) unearthing
problems can confidently and reliably report them without the fear of intimation or
termination of their services or employment.
2.1.2 Support from senior management is critical. Sarens and De Beelde (2006a) Empirical
interviewing ten CAE of Belgian companies and subsidiaries of US firms point out that internal audit
the further the development of risk-based IA, the higher is the status of the IAF. To play
a more important role in risk management, support from other governance stakeholders,
especially from senior management, may typically be required. In the USA, the observed
higher interest of Chief Executive Officers (CEO) and Chief Financial Officers (CFO) in
risk management and internal controls is largely attributable to Sections 302 and 404 of 11
the Sarbanes–Oxley–Act (SOX), whereas in the Belgian context, corporate governance
requirements were only emerging, so “it is hard to convince people in [some Belgian]
organizations of the value of the internal audit function” (Sarens and De Beelde, 2006a,
p. 74).
Other academic studies support the critical impact that management support has on
IA effectiveness. For example, Mihret and Yismaw (2007) and Halimah et al. (2009),
when studying the Ethiopian and Malaysian public sector, respectively, and Cohen and
Sayag (2010, p. 304) studying determinants of IA effectiveness in Israeli organizations,
viewing the demand-driven organizational/managerial characteristics as the most
important factor (more important than the supply-led qualifications and work setting of
the IA staff) and crucial to the success of IA. Other determinants of IA effectiveness
derive from decisions made by senior management, i.e. when hiring proficient IA staff,
developing career channels for IA staff and providing organizational independence for
IA work.
The appreciation of IA by management is a crucial component identified by Geis
(2010), interviewing eight CAE, and studying potential benefits of IA in the German
context. This context is characterized by a two-tier board structure (management board
and separate supervisory board) and a corporate governance code building on
company-employed CAE typically reporting to the management board as the body held
responsible through company law for independently managing the enterprise. In the
meantime, the supervisory board sets up an AC to handle the monitoring of the
accounting process, the effectiveness of the internal control system, risk management
system and internal audit system and the audit of the annual financial statements and
compliance (German Corporate Governance Code, 2013, §5.3.2). In the first part, the
study suggests a number of indicators measuring effectiveness including, customer
survey of auditees, impact of IA findings on Earnings before Interest, Depreciation and
Amortization and liquidity, discovery of fraud, number of IA findings per country and
region, time between end of field work and delivery of report and the ratio of
recommendations being implemented (Geis, 2010, p. 95). Notably, in the second part, the
study builds on the work by Parasuraman et al. (1985), suggesting IA develop a
customer service-oriented process first identifying customers and their needs and then
seeking to meet their expectations. This model is based on the idea that the more the
expectation gap is narrowed, the more effectively its customers perceive IA to have
performed (Geis, 2010, p. 149). The study remains inconclusive about those expectations
which were not established due to the design of the study. Interestingly enough, the
study points to the potential challenge that customers of IA might only have vague
expectations, or no expectations at all, as well as to the danger to independence that such
suggested customer focus may entail (Geis, 2010, p. 125).
2.1.3 Serving two (or more) masters. Christopher et al. (2009) study the independence
of the IAF using evidence from Australia based on CAEs responses to a questionnaire.
MAJ The authors conclude that the independence of the IAF needs to be judged taking into
30,1 account its relationship with management and the AC in combination rather than
individually. When such a combined view is taken, the large number of independence
threats at the management relationship level may be contrasted by a small number or
even the absence of independence threats at the AC relationship level with independence
threats at the two different levels eventually compensating for each other. The findings
12 suggest that the IAF’s relationship with the AC is a stronger guarantee of independence
than the relationship with management; and that there may be an optimal degree of
intensity (Sarens et al., 2009) of the relationship with management.
The study also suggests that too much involvement and direction can become
harmful. Too little attention possibly represents a shortcoming as well. Further research
is warranted investigating which view actually prevails when IA is serving multiple
customers and whether there is an optimal degree of interaction with the AC, the board
and with management.
The work by Christopher et al. (2009) addresses the challenges in general when IA
tries to “serve two masters” (IIARF, 2003, p. 3) which is acknowledged as a potential
conflict by the IIA. Gramling et al. (2004, p. 240) suspect tension between the IAF, the AC
and executive management as they pose the question: “if the audit committee and
management have different visions for the corporate governance role of the IAF, which
vision will dominate?” Gramling et al. (2004, p. 240) presume that the IAF puts one client
first when posing the question on “which side of the line between the audit committee
and management does the IAF fall?”
Beasley et al. (2009, p. 114) highlight “the often nebulous, informal nature of internal
audit oversight by the audit committee and management (i.e. internal audit is overseen
by two parties)”. Chambers (2008) suggests the board is the ultimate customer of IA,
while acknowledging the importance of other governance stakeholders. According to
Chambers (2008), it is crucial to “get the boss right”, to clearly define the primacy of the
board as the chief stakeholder having oversight responsibilities. Consequently, he finds
that internal auditors must be independent of management if the board is to rely on
internal audits to provide the assurance the board needs. Otherwise, when serving two
masters (IIARF, 2003), the risk is that IA reports to the board are filtered by
management, in a way that only what is palatable to management is communicated.
Lenz and Sarens (2012, p. 540) recommend:
[…] focusing on one prime customer group foremost and aiming at satisfying the chief
stakeholder first and in full is an alternative approach to targeting multiple customers at the
same time and not satisfying anyone.
A study by Hoos (2010) suggests that internal auditors do give priority to either
management or the AC depending on the instructions of the CAE. That finding resulted
from an experiment in which the CAE assigns the IA staff to either prioritize the
management agenda (cost reduction) or the AC agenda (effectiveness). This study
underpins the crucial role of the CAE.
2.1.4 Crucial role of CAE and the skills and competencies of internal auditors. Prawitt
(2003) acknowledges that managing and staffing an IAF is a vast and complex
undertaking that remains relatively unexplored by rigorous research. Pforsich et al.
(2006 and 2008) present a case study, emphasizing the importance of the CAE when
setting up the IAF. The case study describes the steps that a company took when
establishing its IA department, which included finding a highly qualified CAE, defining Empirical
the IA department’s mission, developing the audit charter, staffing the department, internal audit
creating an overall audit strategy and assessing the department’s effectiveness. Criteria
applied to assess effectiveness included whether major projects were performed,
whether the IAF was receiving requests from the business units, whether business units
were willing to work with the internal auditors and client surveys. In particular, the
feedback from audit customers serves to better understand how the service rendered is 13
perceived. Such satisfaction surveys should be examined with due care, as they may
refer only to “how” the audit work has been perceived and thus assume among other
factors that the auditors were focusing on the issues that matter most to the firm. The
CAE in the case study reports directly to the AC and, for administrative purposes, to the
CFO. The paper helps understanding the sequence of actions taken when setting up an
IAF, what to do first and what to do well, and provides pointers to the key dimensions of
an effective IAF. The competencies of internal auditors matter, and when setting up an
IAF, it is recommended to start with the leader, the CAE.
Van Peursem (2005) views the internal auditor’s role to be an enigmatic one, being
both a watchdog and consultant. Her study is based on interviews of six IAFs in New
Zealand. She regards communication skills and personal authority as indicators of
successful internal auditors who are, moreover, able to define their role by adapting and
tailoring it to circumstances. According to Chambers (2008), communication skills,
listening and influencing skills are required when carrying out field work and liaising
with auditees and C-level or board executives within a particular organizational context.
Mihret et al. (2010, p. 240) stressed the crucial skill of internal auditors being able “to
make the ‘tough’ recommendations without fear or favor”.
2.1.5 Organizational characteristics matter including politics and culture, role
ambiguity and role conflict. The overall organizational impact is identified as an
important dimension that influences IA effectiveness (Mihret et al., 2010, p. 241).
Carcello et al. (2005) investigate the question why some companies invest heavily in IA
while others do not. Analyzing data from 217 publicly traded companies in the USA,
Carcello et al. (2005, p. 82) find evidence that IA budgets are higher in companies:
[…] that are larger, have more debt; are in the financial, service, or utility industries, have more
inventory; have greater operating cash flows; and have audit committees that review the
internal audit budgets.
Cohen and Sayag (2010, p. 305) conclude that the effectiveness of IA depends more on
organizational characteristics than on the qualification and work setting of the IA staff.
According to Sawyer (1995), the best set of qualities of an internal auditor may be of
no avail in the absence of an understanding of the politics and culture of an organization.
Chanchani and MacGregor (1999), and also Sarens and Abdolmohammadi (2009 and
2011), point on the significance of the politics and culture of an organization.
Ahmad and Taylor (2009) and Fazli et al. (2013) apply Role Theory (Kahn et al., 1964)
in studying IAFs in Malaysia. Ahmad and Taylor (2009) conclude that role ambiguity
(when it is unclear what is expected and whose expectations shall be met, Kahn et al.,
1964, p. 24) and role conflict (as occurring when two or more sets of pressure cannot be
simultaneously served; Kahn et al., 1964, p. 19) negatively affect the independence of
internal auditors. Similarly, Fazli et al. (2013, p. 6) show that the “clarity of their role is
MAJ imperative in ensuring their effectiveness”, particularly with regard to risk
30,1 management.
As there is limited research on the impact of organizational factors on IA practices,
including the impact of politics and culture of an organization and the phenomena of role
ambiguity and role conflict, further research is warranted.
2.1.6 IA is effective when it is risk based. Modern IA is risk based (Spira and Page,
14 2003), “a good IA service gets to the heart of the issues facing the organization” (NAO,
2012, p. 5). The IIA Performance Standard 2010 (IIARF, 2013) demands risk-based IA
(RBIA), a concept that has been subject to IIA position papers (IIA UK and Ireland, 2005;
IIA, 2009) in the light of the organizational risk management function’s role. The focus
on critical risks and issues, and the importance of RBIA is supported by literature (for
example through Allegrini and D’Onza, 2003; Burnaby and Hass, 2009; Ernst & Young,
2012; PWC, 2010). Sarens and De Beelde (2006a, p. 76) stated that along with the rise of
institutionalized enterprise risk management functions “internal auditors are concerned
about their capacities to play an important role in risk management”. Castanheira et al.
(2010, p. 95) show that “in most entities, individual audits are control-based, and not risk
oriented” when studying company-specific factors associated with the adoption of RBIA
in Portugal. Coetzee and Lubbe (2013) associate the maturity of RBIA with IA
effectiveness: the better the IAF assists with the mitigation of key risks threatening
organizations, the more effectively it operates. Based on the self-assessment of CAEs in
the USA, Sarens et al. (2012) investigate several variables that are theoretically
associated with an IAF having an active role in corporate governance: applying RBIA,
the existence of a quality assurance and improvement program, and AC input to the
audit plan emerge as factors that are significantly and positively associated with an IAF
playing an active role in corporate governance.
2.1.7 Building blocks of IA characteristics. Lenz et al. (2013) study characteristics of
IAFs that help to distinguish between two groups of IAFs with sharply contrasting
levels of perceived effectiveness. By suggesting four key categories to identify, examine
and evaluate the level of IA effectiveness, i.e. organization, IA resources, IA processes
and IA relationships, the study plants the seeds for a potential general theory of IA
effectiveness. Within these dimensions, the study identifies statistically valid
discriminatory characteristics and features to separate the wheat from the chaff. The
presented prior research has its focus in one or more of these four dimensions (for a
summarizing view, see Table I).
A strong corporate governance context is seen as helpful when establishing a
powerful IAF (associated with category 1: organization). The CAE and the IA staff
matter (category 2: IA resources). The competent handling of key processes, especially
RBIA, is associated with IA effectiveness (category 3: IA processes). Empirical studies
based on the self-assessment of internal auditors point to the importance of the
relationships with the board/AC and senior management (category 4: IA relationships).
We will now turn to the second stream of literature.
2.2 The demand-side perspective: how do stakeholders view the role and effectiveness
of IA?
The second stream reviews empirical literature that assesses how other stakeholders
view IA effectiveness. Flesher and Zanzig (2000) suggest that internal auditors and
customers of audit services should possess a common understanding of what makes IA Empirical
a value-added activity. internal audit
Albrecht et al. (1988, p. 3) conclude that what matters most is “that the audit work is
completely consistent with the objectives and role as determined by top management
and the audit committee”. While there is debate in the literature about the ultimate
customer – whether IA is the “eyes and ears of the board or audit committee” and/or “the
eyes and ears of management” (Anderson, 2003; Chambers, 2008) – the internal auditor 15
typically liaises with other internal governance stakeholders, i.e. management, the
board and the AC and external auditors.
2.2.1 Multiple outcomes of IA. Dittenhofer (2001) suggests as measurement criteria
for IA effectiveness the resolution of problems (if there are any) or the (credible)
attestation that there are none. Some IAF may meet the highest standards when making
contributions to strategic issues within an organization (Melville, 2003). Studies by
Mercer (2004), Archambeault et al. (2008) and Holt and DeZoort (2009) indicate that an
IA report can improve stakeholder confidence when it complements an existing
governance disclosure. Moreover, “having an IAF” is, per se, a plus, in terms of the
reporting of unauthorized acts, as the study by Kaplan and Schultz (2007) shows.
Additionally, as Coram et al. (2008) demonstrate, organizations with an IAF are more
likely to detect and self-report fraud caused by misappropriation of assets.
Hermanson et al. (2008) review IA-related problems that were revealed in SOX 404
reports, and provide specific recommendations for building an effective, value-adding
IAF. The absence of reported material weaknesses in the SOX 404 reports caused by
IA-related problems is interpreted as a sign of effectiveness. This being a primary
concern of the board and top management in the aftermath of the bankruptcy of
WorldCom and Enron in the early years since 2002-2003, IA made a difference when it
was effective in that area, contributing to avoid material weaknesses in the internal
control system with financial reporting being the prime area of interest. Similarly, the
study by Lin et al. (2011, p. 288) also linked IA effectiveness with the disclosure of
material internal control weaknesses. Lin et al. (2011) showed that various IA activities
foster IA effectiveness, including the use of quality assurance techniques, grading IA
reports and performing follow-up on issues securing remediation.
Prawitt et al. (2009) attest that IA can play a role in preventing management from
aggressively covering up or manipulating earnings or accounts, as there is greater
transparency and a greater likelihood of discovery.
2.2.2 IA is effective when meeting expectations of management. Albrecht et al. (1988,
p. 7) view the degree of senior management support for the IAF as the most critical factor
in IA effectiveness. The two-sided approach – including CAEs and CEOs in one survey –
provides evidence of a wide chasm (Cooper et al., 1994), pointing to a series of
inconsistencies between actual audit coverage provided by IA departments and the
presumed scope from CEOs’ point of view. The role and scope of IA require clarification
between management and the IAF.
Through five Belgian cases, Sarens and De Beelde (2006b) investigate the
relationship between IA and senior management (CEOs and CFOs), concluding that the
acceptance and appreciation of IA within a given company depend on the support they
receive from senior management. As indicators of such support, the study by Sarens and
De Beelde (2006b, p. 224) references, among others open and direct communication,
input to IA planning, approval of resources, response to IA recommendations and
MAJ keeping IA informed about what is happening in the organization. All these
30,1 dimensions – communication, input, support and caring about IA recommendations and
information – are considered indicators for IA effectiveness.
Lenz (2013) also includes senior management in his study design, showing that the
concept of customer satisfaction (expectation matching) can easily be misleading, as
some managers demand very little of the IAF. Lenz (2013) shows that there can be
16 “moments of truth” when senior management and the CAE interact, moments that can
determine whether the CAE ultimately succeeds or fails in the pursuit of rendering an
effective IA service. Lenz (2013, p. 276) concludes that:
CAEs who interact frequently and in a timely manner with senior management, using
problem-solving communication, help and nurture IA effectiveness, especially when
communication is supported by shared goals, shared knowledge, and mutual respect.
2.2.3 IA is effective when meeting the expectations of the board/AC. The Belgian study
by Sarens et al. (2009) sees the IAF as an expert provider of comfort to the AC related to
what is going on in the company, thereby mitigating the information asymmetry
problem. Formal symbols of comfort like IA reports and presentations and informal
symbols of comfort through private contacts and face-to-face meetings seem to be
important means of providing comfort to the AC.
Soh and Martinov-Bennie (2011, p. 614) view the relationship between the AC and
the IAF as critical to IA effectiveness, drawing particular attention to the
importance of the CAE’s competencies: “a good CAE is able to work with other
stakeholders in the organization and is not afraid to voice his or her opinion even in
controversial situations.”
2.2.4 IA is effective when meeting expectations of external auditors. Considerable
research has been conducted to assess IA effectiveness from the perspective of external
auditors noting that there is uncertainty among external audit (EA) whether IA is a
significant player in the governance arena or rather “an assistant carrying out the
directions of the audit committee and the board” (Cohen et al., 2010, p. 780). This points
to concerns about independence of IA with internal auditors typically paid by the
organization to which they are supposed to render independent assurance and
consulting services. The ability to manage threats to objectivity and independence is
central, acknowledging that the attempted differentiation between independence in
appearance, and independence, in fact (in mind), may not be a convincing concept in
practice (Mutchler, 2003).
The question of IA effectiveness matters to external auditors; they may have to
discuss with the AC the quality of the IAF and the extent to which they are able to rely
on the work performed by IA (Cohen et al., 2007). The study by Gramling et al. (2004,
p. 236) acknowledges that there is uncertainty regarding which criteria are relevant to
IAF quality evaluations, concluding that “literature provides little guidance as to which
IAF factors should be enhanced if an organization desires to increase IAF quality”.
When determining the external auditor’s reliance decision, objectivity (reporting
relations), work performance (coverage) and professional competence are the criteria
typically chosen. Krishnamoorthy (2002) approximates these criteria by two observable
values each, like professional certifications or the level to which IA reports, to assess
competence or objectivity. Other studies of that kind apply the same pattern, with
observable variables tending to approximate the three criteria (Desai and Desai, 2010).
Felix et al. (2001, p. 530) suggest that IA contribution is a significant determinant of Empirical
the external audit fee, i.e. the greater the contribution of IA to the financial statement internal audit
audit, the lower the audit fee. A later study by Felix et al. (2005) shows that the client
pressure is more important than the perceived quality of IA when determining the
extent of IA reliance. When significant non-audit services are provided, IA reliance
tends to increase regardless of perceived IA quality. When the IAF is used as a
management training ground, internal auditors are viewed by external auditors not as 17
less competent but as less objective, so higher fees are charged (Messier et al., 2011).
When assessing IA effectiveness from an EA perspective, the higher the utilitarian
benefit for EA, the higher IA quality is perceived. The value that EA sees in IA is
dominated by the reliance question. The more the work of IA is related to the topics of
EA, the more appreciative EA may become. As the EA is financially oriented, its focus
can be far from the areas where IA may make a difference. Modern IA shall be risk based
which does not necessarily make financial reporting-related matters a priority. Thus,
EA reliance as an indicator of IA effectiveness can be misleading.
While there is much research about the collaboration between IA and EA from an EA
point of view, research about that collaboration would also be warranted from an IA
perspective. Such research may help to examine and address the Institute of Internal
Auditors’ (IIA) observation that “IA continues to be perceived as the step daughter of
public accounting” (IIA, 2013, p. 10).
2.2.5 IA is effective when meeting expectations of auditees. This subject matter is still
under-examined. While Arena and Azzone (2009b) point out that the effectiveness of IA
depends upon the quality perceived by the auditees for it is management that will or will
not implement recommendations made by the IAF, Elliott et al. (2007) conclude that IA
reports are not always well received, they are sometimes not perceived well and their
findings are not always viewed as particularly significant, at times as trivial.
2.2.6 Effective internal auditors require skills and competencies. Albrecht et al. (1988,
p. 6) view IA effectiveness as being a result of capable leadership by the incumbent CAE.
The dimension of personality is viewed as an essential factor impacting IA
effectiveness. Mihret et al. (2010, p. 240) stress the crucial skill of being able “to make the
‘tough’ recommendations without fear or favour”. Similarly, Soh and Martinov-Bennie
(2011, p. 614) emphasize “a good CAE is able to work with other stakeholders in the
organization and is not afraid to voice his or her opinion even in controversial
situations”.
Cahill (2006) presented a case in which IA identified a major issue – the malpractice
of interest loading in a bank – but failed to communicate the findings clearly to the AC.
As internal auditors typically impact organizations through others, communication and
influencing skills are instrumental to ensure that important recommendations are
resolved in a timely fashion. Understanding and support need to be secured by audit
clients and other stakeholders when they aim to convert suggestions for improvement
into action, to prevent things from going wrong, fix what is broken or to make what is
good even better.
Rittenberg and Anderson (2006) present the ideal profile of a skilled and qualified
CAE, a profile deemed fully satisfying when improving corporate governance and
internal controls, as well as partnering with senior management and the AC. The key
performance criteria for CAEs include stature and presence, strategic audit focus, the
MAJ ability to exercise sound judgment and the capacity to communicate clearly on audit
30,1 issues.
Section 3 synthesizes the main threads into a model, comprising macro and micro
factors that influence IA effectiveness.
IA resources
MACRO factors
IA relaonships
4.1 IA relationships
Interpersonal factors are regarded critical in determining IA effectiveness. The
relationship between IA, respectively, the CAE and IA staff, and senior management
and the board/AC will continue to be an important research field, also addressing the
classic “serving two masters” scenario. The relationship between CAE, respectively
internal auditors, and auditees on the other hand, represents a new research field:
• How shall the IAF be best positioned in the organization’s overall governance, risk
management and compliance infrastructure?
• The past years led to an expanded but blurred description of governance roles in
intra- and inter-professional discourse, as well as in pronounced frameworks and
guidance. Conciseness and effectiveness of good practice models mandate the
development of a commonly applicable, cross-sectoral model of governance, risk
and control functions and roles, as well as their interfaces. Can we develop a
common model and what would be its key features?
• Why do some stakeholders fail to understand the value of IA? How can better
alignment between IA and both, senior management and the board/AC, be
achieved?
• How can we resolve the chicken and egg problem in IA effectiveness? What do we
know about the causality of effective IA? While the influence of the relational
dimension between CAE and senior management (and the board/AC) is viewed as
important, there is little knowledge about the direction of the effect. Successful
interpersonal interaction between the CAE and senior management, as well as the
board/AC, can lead to actual and/or perceived IA effectiveness. On the other hand,
rendering an actual and/or perceived to be effective IA service may also lead to
improved interpersonal relations. Experimental research could provide further
insights into this “chicken and egg” problem, namely, the causality of IA
effectiveness.
• When measuring IA effectiveness, is using the extent to which senior
management’s expectations are met the “silver bullet” or, in practice, can that be
misleading as senior management may have too low expectations of IA?
MAJ • When measuring IA effectiveness, is using the extent to which the board/AC’s
30,1 expectations are met the “silver bullet” or, in practice, can that be misleading as the
board/AC link may cause unexpected and adverse implications (Rose and
Norman, 2008; Norman et al., 2010)?
• What is the relationship and influence of IA work and its quality/effectiveness on
board effectiveness and vice versa? What can we learn from cases of best practice?
22
• What can we learn from research about the collaboration between IA and EA from
an IA point of view?
• Under which conditions can reliance by EA on IA be a helpful indicator of IA
effectiveness in practice, and when can it be dangerously misleading? Can a
comprehensive list of criteria for reliance on IA’s work be determined?
• What do we know about the relationship between IA and the auditee in practice?
What are the key skills and competencies that help obtain acceptance and
appreciation of IA findings so that the auditee eventually resolves surfacing issues
in practice?
4.2 IA processes
There is still ambiguity concerning the processes, purpose and activities of IA. Leading
questions may facilitate a deeper understanding and appreciation as to why we have
internal auditors, what internal auditors are tasked to do in practice, how they operate,
what they are rewarded for and what successful internal auditors do differently in
comparison to their less successful peers:
• What are the key processes and success factors when setting up an IAF?
• What are the features of a common capability and maturity model for the IAF,
based on a generic methodology and taxonomy as provided through the globally
adopted ISO 15504 model?
• What do IA and its stakeholders actually know about the core concept of
providing assurance? What does it mean to them?
• What precisely does “a right balance” between assurance services and consulting
engagements mean? How is it found in IA practice? Is blending a legitimate
concept?
• What are the differences and/or similarities between the “assurance and
consulting concept” of IA and the EA profession? What is the impact of role
ambiguity and role conflict between an IAF and its stakeholders?
• Can it be empirically confirmed that more effective IAFs’ scope covers all or most
of the organizational Governance, Risk and Compliance functions? Is providing a
more integrated assurance function the future role model of IA?
• Is there any hypocrisy or dissonance between rhetoric and practice as far as the
positioning of IAFs is concerned? If so, what useful purpose may it serve, what are
the risks?
• What are the experiences and consequences when IA aims at scaling-up its value
proposition to key stakeholders, for example, migrating from policing and
double-checking to a risk-, control- and governance-based IA approach?
• What do we know about the rationale and considerations (pros and cons) in Empirical
practice of rating (or not rating) individual findings? How does rating impact internal audit
relationships and effectiveness, in the short and long-term?
• What do we know about the rationale and considerations (pros and cons) in
practice of grading (or not grading) an overall IA report? How does grading impact
relationships and effectiveness? Which phenomena can be observed, short- and
long-term? 23
• What can we learn from moments of discomfort experienced by CAEs in the
frequently inherent conflicts with other governance stakeholders, which may be
highly significant factors on IA effectiveness? To which extent does research on
the “Deaf Effect” and “Bounded Rationality” (Nuijten, 2012) explain such
“moments of truth”?
• Why do some IAFs refrain from complementing their skill set by co-sourcing
activities and thereby possibly limiting their impact? Are there measurable
positive and negative effects of choosing such an approach?
• What do we know about IA as a credence good (Causholli, 2009) and the influence
of “soft factors” on IA effectiveness?
• What can we learn from metaphors about IA? What are metaphors and
self-images that can make a positive difference, and can create a unique and
sustainable organizational identity for IA?
• How can IA best benefit from technology and advanced data analytics?
4.3 IA resources
People matter. The role and impact of personal characteristics of the CAE and internal
auditors deserves further attention in research, especially the “soft factors” represent a
promising research arena. Personality matters, and, as it is assumed to have an influence
on the thinking, behavior and activity of internal auditors, it merits further attention.
The behavioral dimension deserves particular attention in future empirical research.
The core differentiator between the strong and the weak internal auditor may be rather
behavioral than cognitive. Knowledge or its lack may not be the prime challenge in
practice, but rather the right behavior:
• How can the IAF’s talent pool keep up with the evolving risk portfolio of the
organization?
• What can we learn about the influence of personality factors on IA effectiveness by
exploiting the metaphors of “swimming in the organization” and
“Fingerspitzengefühl” (Lenz, 2013)?
• What can we learn about the influence of personality factors on IA effectiveness
from formal psychometric profiles of CAEs and correlated professionally revealed
personality types with the effectiveness of an IAF?
• Can the CAE become a change agent, and, if so, what are favorable conditions for
doing so?
• What are career patterns of CAEs/internal auditors and on what basis are career
choices made to move into the IA profession and out again?
MAJ • Why is IA often seen as a springboard, whereas EA has clearer career paths
30,1 supporting lifelong professional involvement?
• What do we know about the effectiveness of career auditors versus those who stay
in the profession only temporarily and who have experienced other activities prior
to entering the auditing field? What are the consequences of audit functions and
audit assignments?
24
• Are there optimum life cycle patterns for performing IA most effectively? For
example, the hypothesis that between three and seven years after induction a
turning point develops at which internal auditors/CAEs may become too
comfortable and lose their cutting-edge abilities?
• How best can IA be learnt and taught?
4.4 Organization
IA does not operate in isolation. Without a business, there is no IA. The impact on IA of
the specific organizational context merits further research to deepen understanding of
factors, which may limit or enhance IA effectiveness:
• What is the relationship between the quality and effectiveness of IA work and that
of the organization, and how and to what extent does each influence the other? Is
it adequate to conclude that high organizational effectiveness nurtures and low
organizational effectiveness may hamper IA effectiveness? Which indicators
matter? How are such indicators correlated?
• What are the influences of organizational factors and associated corporate
cultures on IA effectiveness? Which insight provides the examination of hidden
champions (Simon, 2009)?
• Why do some IAFs have no charter that clearly scopes the role and mandate of IA
in the organization? What are the consequences, can we learn from existing
empirical data?
• What is the influence of the organizational life-cycle and maturity on IA
effectiveness?
• What is the relationship between CAE’s professional/personal characteristics and
the IAF’s role in corporate governance?
• What can we derive from research into the cyclical corporate governance disasters
throughout the past decades, what the IAF has or has not done, what it was
expected to do and how it could have had the right influence? To what extent can
insights and patterns from past challenges color the image of an effective IAF?
• Are there reliable hard measures of IA effectiveness or is IA effectiveness
ultimately all about soft factors?
• Can we find cases of IA effectiveness based on validated secondary indicators like
fraud or financial performance? If so, are there recent cases providing evidence
that more effective IA leads to less fraud and better financial performance?
References
Abbott, L.J., Parker, S. and Peters, G.F. (2010), “Serving two masters: the association between audit
committee internal audit oversight and internal audit activities”, Accounting Horizons,
Vol. 24 No. 1, pp. 1-24.
Ahmad, Z. and Taylor, D. (2009), “Commitment to independence by internal auditors: the effects of
role ambiguity and role conflict”, Managerial Auditing Journal, Vol. 24 No. 9, pp. 899-925.
Albrecht, W.S., Howe, K.R., Schueler, D.R. and Stocks, K.D. (1988), Evaluating the Effectiveness of
Internal Audit Departments, The Institute of Internal Auditors Research Foundation,
Altamonte Springs, FL.
Allegrini, M. and D’Onza, G. (2003), “Internal auditing and risk assessment in large Italian
companies: an empirical survey”, International Journal of Auditing, Vol. 7 No. 3,
pp. 191-208.
Al-Twaijry, A.A.M., Brierley, J.A. and Gwilliam, D.R. (2003), “The development of internal audit
in Saudi Arabia: an institutional theory perspective”, Critical Perspectives on Accounting,
Vol. 14 No. 5, pp. 507-531.
Anderson, R. (2009), Corporate Risk Management, Report Commissioned by OECD, Paris.
Anderson, U. (2003), Assurance and Consulting Services, IIA Research Foundation, Altamonte
Springs, FL.
Archambeault, D.S., DeZoort, T. and Holt, T.P. (2008), “The need for an internal auditor report to
external stakeholders to improve governance transparency”, Accounting Horizons, Vol. 22
No. 4, pp. 375-388.
Arena, M., Arnaboldi, M. and Azzone, G. (2006), “Internal audit in Italian organizations: a multiple
case study”, Managerial Auditing Journal, Vol. 21 No. 3, pp. 275-292.
Arena, M. and Azzone, G. (2009a), “Identifying organizational drivers of internal audit
effectiveness”, International Journal of Auditing, Vol. 13 No. 1, pp. 43-60.
Arena, M. and Azzone, G. (2009b), “Internal audit effectiveness: relevant drivers of auditees
satisfaction”, Working paper, 7th European Academic Conference on Internal Audit and
Corporate Governance, Cass Business School, London.
Bailey, D., Gramling, A.A. and Ramamoorti, S. (2003), Research Opportunities in Internal
Auditing, The Institute of Internal Auditors Research Foundation, Altamonte Springs, FL.
Beasley, M.S., Carcello, J.V., Hermanson, D.R. and Neal, T.L. (2009), “The audit committee
oversight process”, Contemporary Accounting Research, Vol. 26 No. 1, pp. 65-122.
Brierley, J.A., Hussein, M.E. and Gwilliam, D.R. (2001), “The problems of establishing internal
audit in the Sudanese public sector”, International Journal of Auditing, Vol. 5 No. 1,
pp. 73-87.
MAJ Burnaby, P. and Hass, S. (2009), “Ten steps to enterprise-wide risk management”, Corporate
Governance, Vol. 9 No. 5, pp. 539-550.
30,1
Burns, D.C., Greenspan, J.W. and Hartwell, C. (1994), “The state of professionalism in internal
auditing”, The Accounting Historians Journal, Vol. 21 No. 2, pp. 85-116.
Cahill, E. (2006), “Audit committee and internal audit effectiveness in a multinational bank
subsidiary: a case study”, Journal of Banking Regulation, Vol. 7 No. 1, pp. 160-179.
28 Carcello, J.V., Hermanson, D.R. and Raghunandan, K. (2005), “Factors associated with US
public companies’ investment in internal auditing”, Accounting Horizons, Vol. 19 No. 2,
pp. 69-84.
Castanheira, N., Rodrigues, L.L. and Craig, R. (2010), “Factors associated with the adoption of
risk-based internal auditing”, Managerial Auditing Journal, Vol. 25 No. 1, pp. 79-98.
Causholli, M. (2009), “Audits as credence goods: what do auditors know and how do they use their
information”, dissertation presented to the Graduate School of the University of Florida in
Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy.
Chambers, A. (1992), Effective Internal Audits, How to Plan and Implement, Pitman Publishing,
Boston, MA.
Chambers, A. (2008), “The board’s black hole – filling their assurance vacuum, can internal audit
rise to the challenge”, Measuring Business Excellence, Vol. 12 No. 1, pp. 47-63.
Chanchani, S. and MacGregor, A. (1999), “A synthesis of cultural studies in accounting”, Journal
of Accounting Literature, Vol. 18 No. 1, pp. 1-30.
Christopher, J., Sarens, G. and Leung, P. (2009), “A critical analysis of the independence of the
internal audit function: evidence from Australia”, Accounting, Auditing & Accountability
Journal, Vol. 22 No. 2, pp. 200-220.
Coetzee, P. and Lubbe, D. (2013), “Improving the efficiency and effectiveness of risk-based internal
audit engagements”, International Journal of Auditing, Vol. 18 No. 2, pp. 115-125.
Cohen, A. and Sayag, G. (2010), “The effectiveness of internal auditing: an empirical examination
of its determinants in Israeli organizations”, Australian Accounting Review, Vol. 20 No. 3,
pp. 296-307.
Cohen, J., Gaynor, L.M., Krishnamoorthy, G. and Wright, A. (2007), “Auditor communications
with the audit committee and the board of directors: policy recommendations and
opportunities for future research”, Accounting Horizons, Vol. 21 No. 2, pp. 165-187.
Cohen, J., Krishnamoorthy, G. and Wright, A. (2010), “Corporate governance in the
Post-Sarbanes-Oxley Era: auditors’ expectations”, Contemporary Accounting Research,
Vol. 27 No. 3, pp. 751-786.
Cooper, B.J., Leung, P. and Mathews, C. (1994), “Internal audit: an Australian profile”, Managerial
Auditing Journal, Vol. 9 No. 3, pp. 13-19.
Coram, P., Ferguson, C. and Moroney, R. (2008), “Internal audit, alternative audit structures and
the level of misappropriation of assets fraud”, Accounting and Finance, Vol. 48 No. 4,
pp. 543-559.
Davies, M. (2009), “Effective working relationships between audit committees and internal audit
– the cornerstone of corporate governance in local authorities, a Welsh perspective”, Journal
of Management & Governance, Vol. 13 Nos 1/2, pp. 41-73.
de Zwaan, L., Stewart, J. and Subramaniam, N. (2011), “Internal audit involvement in enterprise
risk management”, Managerial Auditing Journal, Vol. 26 No. 7, pp. 586-604.
Desai, R. and Desai, V. (2010), “Towards a decision aid for external audit evaluation of the internal
audit function”, The Journal of Global Business Issues, Vol. 4 No. 1, pp. 69-72.
DiMaggio, P.J. and Powell, W.W. (1983), “The iron cage revisited: institutional isomorphism and Empirical
collective rationality in organizational fields”, American Sociological Review, Vol. 48 No. 2,
pp. 147-160.
internal audit
Dittenhofer, M. (2001), “Internal audit effectiveness: an expansion of present methods”,
Managerial Auditing Journal, Vol. 16 No. 8, pp. 443-450.
Drucker, P. (1985), Innovation and Entrepreneurship, Harper & Row, ISBN 9780060913601, New
York. 29
Elliott, M., Dawson, R. and Edwards, J. (2007), “An improved process model for internal auditing”,
Managerial Auditing Journal, Vol. 22 No. 6, pp. 552-565.
El-Sayed Ebaid, I. (2011), “Internal audit function: an exploratory study from Egyptian listed
firms”, International Journal of Law and Management, Vol. 53 No. 2, pp. 108-128.
Ernst & Young (2012), The Future of Internal Audit is Now, Increasing Relevance by Turning Risk
into Results, Ernst & Young Global, New York, NY.
Fazli, A.S., Muhammaddun, M.Z. and Ahmad, A. (2013), “The effects of personal and
organizational factors on role ambiguity amongst internal auditors”, International Journal
of Auditing, Vol. 18 No. 2, pp. 105-114.
Felix, W.L.J.R., Gramling, A.A. and Maletta, M. (2001), “The contribution of internal audit as a
determinant of external audit fees and factors influencing this contribution”, Journal of
Accounting Research, Vol. 39 No. 3, pp. 513-534.
Felix, W.L.J.R., Gramling, A.A. and Maletta, M. (2005), “The influence of nonaudit service
revenues and client pressure on external auditors’ decisions to rely on internal audit”,
Contemporary Accounting Research, Vol. 22 No. 1, pp. 31-53.
Flesher, D.L. and Zanzig, J.S. (2000), “Management accountants express a desire for change in the
functioning of internal auditing”, Managerial Auditing Journal, Vol. 15 No. 7, pp. 331-337.
Geis, A. (2010), “Nutzenpotentiale der internen revision”, Dissertation.
German Corporate Governance Code (2013), “Deutscher Corporate Governance Kodex,
Fassung vom 13. Mai”, Bundesministerium der Justiz, elektronischer Bundesanzeiger
BAnz AT.
Goodwin, J. (2003), “The relationship between the audit committee and the internal audit function:
evidence from Australia and New Zealand”, International Journal of Auditing, Vol. 7 No. 3,
pp. 263-278.
Goodwin, J. and Yeo, T.Y. (2001), “Two factors affecting internal audit independence and
objectivity: evidence from Singapore”, International Journal of Auditing, Vol. 5 No. 2,
pp. 107-125.
Gramling, A.A., Maletta, M.J., Schneider, A. and Church, B.K. (2004), “The role of the internal
audit function in corporate governance: a synthesis of the extant internal auditing
literature and directions for future research”, Journal of Accounting Literature, Vol. 23,
pp. 192-244.
Halimah, N.A., Othman, R., Othman, R. and Kamaruzaman, J. (2009), “The effectiveness of internal
audit in Malaysian public sector”, Journal of Modern Accounting and Auditing, Vol. 5 No. 9,
pp. 53-62.
Hermanson, D.R., Ivancevic, D.M. and Ivancevic, S.H. (2008), “Building an effective internal audit
function: learning from SOX sections 404 reports”, Review of Business, Vol. 28 No. 2,
pp. 13-28.
Holt, T.P. and DeZoort, T. (2009), “The effects of internal audit report disclosure on investor
confidence and investment decisions”, International Journal of Auditing, Vol. 13 No. 1,
pp. 61-77.
MAJ Hoos, F. (2010), Effective Corporate Governance: Experimental Evidence on International
Auditors’ Judgments and the Contribution of Financial Accounting Education, Faculté des
30,1 hautes etudes commerciales, Université de Lausanne.
IIA (2009), “The role of internal auditing in enterprise-wide risk management”, Position Paper,
The Institute of Internal Auditors, Altamonte Springs, FL.
IIA (2013), “Rethinking the future of audit - internal audit is at a crossroads”, The Institute of
30 Internal Auditors, The Austin Chapter Research Committee.
IIA UK and Ireland (2005), “An approach to implementing risk based internal auditing”,
Professional guidance for internal auditors.
IIARF (2003), Internal Audit Reporting Relationships: Serving Two Masters, IIA Research
Foundation, Altamonte Springs, FL.
IIARF (2010), “Global summary of the common body of knowledge study 2010”,
Characteristics of an Internal Audit Activity, Report I, IIA Research Foundation,
Altamonte Springs, FL.
IIARF (2013), International Professional Practice Framework (IPPF), IIA Research Foundation,
Altamonte Springs, FL.
Jeppesen, K.K. (2010), “Strategies for dealing with standard-setting resistance”, Accounting,
Auditing & Accountability Journal, Vol. 23 No. 2, pp. 175-200.
Kahn, R.L., Wolfe, D.M., Quinn, R.P. and Snoek, J.D. (1964), Organizational Stress: Studies in Role
Conflict and Ambiguity, John Wiley & Sons, New York, London, Sydney.
Kaplan, S.E. and Schultz, J.J. (2007), “Intentions to report questionable acts: an examination of the
influence of anonymous reporting channel, internal audit quality, and setting”, Journal of
Business Ethics, Vol. 71 No. 2, pp. 109-124.
KPMG (2009), The Audit Committee Journey, Audit Committee Institute, KPMG, London.
Krishnamoorthy, G. (2002), “A multistage approach to external auditor’s evaluation of the
internal audit function”, Auditing: A Journal of Practice and Theory, Vol. 21 No. 1,
pp. 95-121.
Lenz, R. (2013), “Insights into the effectiveness of internal audit: a multi-method and
multi-perspective study”, dissertation at the Université catholique de Louvain - Louvain
School of Management Research Institute.
Lenz, R. and Sarens, G. (2012), “Reflections on the internal auditing profession: what might have
gone wrong?”, Managerial Auditing Journal, Vol. 27 No. 6, pp. 532-549.
Lenz, R., Sarens, G. and D’Silva, K. (2013), “Probing the discriminatory power of characteristics of
internal audit functions: sorting the wheat from the chaff”, International Journal of
Auditing, Vol. 18 No. 2, pp. 126-138.
Lin, S., Pizzini, M., Vargus, M. and Bardhan, I.R. (2011), “The role of the internal audit function
in the disclosure of material weaknesses”, The Accounting Review, Vol. 86 No. 1,
pp. 287-323.
Melville, R. (2003), “The contribution internal auditors make to strategic management”,
International Journal of Auditing, Vol. 7 No. 3, pp. 209-222.
Mercer, M. (2004), “How do investors assess the credibility of management disclosures?”,
Accounting Horizons, Vol. 18 No. 3, pp. 185-196.
Messier, W.F., Reynolds, K.J., Simon, C.A. and Wood, D.A. (2011), “The effect of using the internal
audit function as a management training ground on the external auditor’s reliance
decision”, The Accounting Review, Vol. 86 No. 6, pp. 2131-2154.
Mihret, D.G., James, K. and Mula, J.M. (2010), “Antecedents and organizational performance Empirical
implications of internal audit effectiveness”, Pacific Accounting Review, Vol. 22 No. 3,
pp. 224-252.
internal audit
Mihret, D.G. and Yismaw, A.W. (2007), “Internal audit effectiveness: an Ethiopian public sector
case study”, Managerial Auditing Journal, Vol. 22 No. 5, pp. 470-484.
Mutchler, J.F. (2003), Independence and Objectivity: A Framework for Research Opportunities in
Internal Auditing, IIA Research Foundation, Altamonte Springs, FL. 31
National Audit Office (NAO) (2012), “The effectiveness of internal audit in central government:
HM treasury”, HC 23, Report by the Comptroller and Auditor General, Session 2012-13, 20
June.
Nobel, C. (2010), Managing the Support Staff Identity Crisis, Working Knowledge, Harvard
Business School, Boston, MA.
Norman, C.S., Rose, A.M. and Rose, J.M. (2010), “Internal audit reporting lines, fraud risk
decomposition, and assessments of fraud risk”, Accounting, Organizations and Society,
Vol. 35 No. 5, pp. 546-557.
Nuijten, A. (2012), “Deaf effect for risk warnings”, Dissertation at the Erasmus University –
Erasmus Research Institute of Management, Rotterdam.
Parasuraman, A., Zeithaml, V.A. and Berry, L.L. (1985), “A conceptual model of service quality
and its implications for future research”, Journal of Marketing, Vol. 49, pp. 41-46.
Pforsich, H.D., Peterson Kramer, B.K. and Just, G.R. (2006), “Establishing an effective internal
audit department”, Strategic Finance, Vol. 87 No. 10, pp. 22-29.
Pforsich, H.D., Peterson Kramer, B.K. and Just, G.R. (2008), “Establishing an internal audit
department: the case of the Schwan food company”, Global Perspective on Accounting
Education, Vol. 5, pp. 1-16.
Power, M. (1997), The Audit Society, Rituals of Verification, Oxford University Press, New York,
NY.
Prawitt, D.F. (2003), Managing the Internal Audit Function, IIA Research Foundation, Altamonte
Springs, FL.
Prawitt, D.F., Smith, J.L. and Wood, D.A. (2009), “Internal audit quality and earnings
management”, The Accounting Review, Vol. 84 No. 4, pp. 1255-1280.
PWC (2010), A Future Rich in Opportunity: Internal Audit Must Seize Opportunities to Enhance its
Relevancy, State of the Internal Audit Profession Study, PricewaterhouseCoopers, London.
PWC (2013), Reaching Greater Heights: Are You Prepared for the Journey? State of the Internal
Audit Profession Study, PricewaterhouseCoopers, London.
Raghunandan, K., Read, W.J. and Rama, D.V. (2001), “Audit committee composition, ‘Gray
Directors’, and interaction with internal auditing”, Accounting Horizons, Vol. 15 No. 2,
pp. 105-118.
Rezaee, Z. and Lander, G.H. (1993), “The internal auditor’s relationship with the audit committee”,
Managerial Auditing Journal, Vol. 8 No. 3, pp. 35-40.
Ridley, J. (2008), Cutting Edge Internal Auditing, John Wiley & Sons, Ltd, Chichester, England.
Rittenberg, L.E. and Anderson, R. (2006), “A strategic player, hiring and inspiring a chief audit
executive”, Journal of Accountancy, Vol. 202 No. 1, pp. 51-54.
Rose, J. and Norman, C.S. (2008), Internal Audit Reporting Lines, Fraud Risk Decomposition, and
Assessments of Fraud Risk, The IIA Research Foundation, Altamonte Springs, FL.
Sarens, G. and Abdolmohammadi, M.J. (2009), “Cultural dimension and professionalism and
uniformity of Internal Auditing practice”, Working paper, The Canadian Academic
MAJ Accounting Association (CAAA) Annual Conference 2010, Vancouver, British Columbia,
Canada.
30,1
Sarens, G. and Abdolmohammadi, M.J. (2011), “Factors associated with convergence of internal
auditing practices: emerging vs developed countries”, Journal of Accounting in Emerging
Economies, Vol. 7 No. 1, pp. 104-122.
Sarens, G., Abdolmohammadi, M.J. and Lenz, R. (2012), “Factors associated with the internal audit
32 function’s role in corporate governance”, Journal of Applied Accounting Research, Vol. 13
No. 2, pp. 191-204.
Sarens, G. and De Beelde, I. (2006a), “Internal auditors’ perception about their role in risk
management”, Managerial Auditing Journal, Vol. 21 No. 1, pp. 63-80.
Sarens, G. and De Beelde, I. (2006b), “The relationship between internal audit and senior
management: a qualitative analysis of expectations”, International Journal of Auditing,
Vol. 10 No. 3, pp. 219-241.
Sarens, G., De Beelde, I. and Everaert, P. (2009), “Internal audit: a comfort provider to the audit
committee”, The British Accounting Review, Vol. 41 No. 2, pp. 90-106.
Sawyer, L.B. (1995), “An internal audit philosophy”, Internal Auditor, Vol. 52 No. 4.
Scarbrough, D.P., Rama, D.V. and Raghunandan, K. (1998), “Audit committee composition and
interaction with internal auditing: Canadian evidence”, Accounting Horizons, Vol. 12 No. 1,
pp. 51-62.
Simon, H. (2009), Hidden Champions of the 21st Century, Springer-Verlag.
Soh, D.S.B. and Martinov-Bennie, N. (2011), “The internal audit function, perceptions of internal
audit roles, effectiveness and evaluation”, Managerial Auditing Journal, Vol. 26 No. 7,
pp. 605-622.
Spira, L.F. and Page, M. (2003), “Risk management: the reinvention of internal control and the
changing role of internal audit”, Accounting, Auditing & Accountability Journal, Vol. 16
No. 4, pp. 640-661.
Van Peursem, K.A. (2005), “Conversations with internal auditors, the power of ambiguity”,
Managerial Auditing Journal, Vol. 20 No. 5, pp. 489-512.
For instructions on how to order reprints of this article, please visit our website:
www.emeraldgrouppublishing.com/licensing/reprints.htm
Or contact us for further details: permissions@emeraldinsight.com